Site icon API Security Blog

GO-2022-0380

The AccountClaims.IsRevoked and Export.IsRevoked functions improperly
validate expired credentials using the current system time rather than
the issue time of the JWT to be tested.

These functions cannot be used properly. Newer versions of the jwt package
provide an IsClaimRevoked method which performs correct validation.
In these versions, the IsRevoked method always return true.

(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt)Read More

Exit mobile version